January 25 2008 Seminar on Information Security, Compliance and Digital Surveillance

1200 RT 22 E, SUITE 2000, BRIDGEWATER, NJ 08807
PHONE: 908-203-4678, FAX: 908-292-1181

[email protected] HTTP://CONSULTANTGURUS.COM

January 25 2008

Seminar on Information Security, Compliance and Digital Surveillance

Your bridge to all things technology and compliance!

Consultantgurus

Your bridge to all things technology and compliance

The Consultantgurus Philosophy

• Evangelists for secure computing

• Secure the wider base, and the larger players automatically become more secure

• Education is the best defense

• Security is a process, not an event

• Technology changes, security remains a concern at all times

• Attackers will stay as long as there is value offered

• Users will store only that which has value

• ...and hence, attackers will always be around

Negatives first

• Growing threat landscape

• Need for networked access

• Increasing complexity in simple technological solutions

• Compliance concerns

• The carrot and the stick

• Growing information needs require increased spend

• This spend increases complexity

• Adding technology compounds vulnerability

Top 10 cyber security menaces for 2008

The SANS Institute has drawn up its list of looming security dangers facing organizations and their information-technology defenders.

1. Increasingly sophisticated Web site attacks that exploit browser vulnerabilities.

2. Increasing sophistication and effectiveness in botnets.

3. Cyber espionage efforts by well-resourced organizations looking to extract large amounts of data, particularly using targeted phishing.

4. Mobile phone threats, especially against iPhones and Android-based phones.

5. Insider attacks, initiated by rogue employees, consultants or contractors.

Top 10 cyber security menaces for 2008…continued

6. Advanced identity theft from persistent bots.

7. Increasingly malicious spyware.

8. Web application security exploits (cross-site scripting, SQL injection).

9. Increasingly sophisticated social engineering, including blending phishing with VoIP and event phishing.

10. Supply-chain attacks infecting consumer devices (USB thumb drives, GPS systems) distributed by trusted organizations.

Wireless networks – and the pervasive environment (O’Reilly – 7 problems with wireless networks)

Problem #1: Easy Access

Problem #2: "Rogue" Access Points

Problem #3: Unauthorized Use of Service

Problem #4: Service and Performance Constraints

Problem #5: MAC Spoofing and Session Hijacking

Problem #6: Traffic Analysis and Eavesdropping

Problem #7: Higher Level Attacks

Source: http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html

Increasing use of information demands better and yet more secure access

The need of the day – Enable universal access without compromising security or integrity of information

This is achievable

What are we protecting, and what are we providing?

Simplify, simplify, simplify

Do we need more technology? Have we used all our infrastructure provides?

Is obsolescence accounted for? Is virtualization an option?

Security starts with the basics

Is the core software security-aware?

Does the organization recognize the benefits of security?

Security is not witchcraft – and it is not a black art

Security enables better productivity by allowing correct results the first time, every time.

Has security been applied as a bandage? How do we fix the situation then?

The what and why

What am I protecting?

Why am I protecting it?

The business case

How does technology impact the core business?

Is learning agility built into the infrastructure?

Can the infrastructure adapt to the changing technology landscape? How often is change and redesign necessitated? How often was good technology ignored due to incompatibility issues? What was the business/opportunity lost?

Who needs protection

The standalone disconnected setup

• Will be connected

• Danger of theft

• Need support – can come from anywhere globally

• Start it all right

The small network

• Information stored is the honey attracting the attacker bees

• Is data secure in all states – at rest, in transit and during use?

The large infrastructure

• Complexity causes critical areas to be overlooked

• Business case sometimes justifies overlooking security

• Protect by simplifying and ensuring all components and interconnects are secure

Security – cost and benefit

Security as a process, not an event

Education – the most important component of security

Simplify, and minimize pathways to ensure best security

The caveman-to-modern-man analogy

Benefit is improved productivity

Simple systems and components need less maintenance

The KISS philosophy still works

Compliance

Today, compliance is a large driver for security efforts

Compliance inherent in a properly secured infrastructure

Cost / benefits of compliance

The global compliance quandary – e.g. SOX vs. the EU Privacy Directive

The complex compliance landscape

Computer Security Act of 1987 (P.L. 100-235) - http://www.epic.org/crypto/csa/csa.html

Federal Information Security Management Act of 2002 (FISMA) (Public Law 107-347, Title III, 116 Stat. 2899, 2946) - http://csrc.nist.gov/policies/FISMA-final.pdf

Homeland Security Act of 2002 (Public Law 107-296, 116 Stat. 2135) - http://www.whitehouse.gov/deptofhomeland/bill/hsl-bill.pdf

UK Data Protection Act of 1998 - http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm

European Union Data Protection Directive (EUDPD) - http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

UK – Computer Misuse Act of 1990 - http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

EU Data retention rules - http://news.bbc.co.uk/1/hi/world/europe/4527840.stm

European Union Data Protection Directive (EUDPD) - http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett

The Family Educational Rights and Privacy Act (FERPA) - (20 U.S.C. § 1232 g; 34 CFR Part 99) - http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Sarbanes-Oxley Act of 2002 - http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley

Gramm-Leach-Bliley Act - http://www.ftc.gov/privacy/glbact/glbsub1.htm

Health Insurance Portability and Accountability Act - http://www.hhs.gov/ocr/hipaa/

Bank Secrecy Act/Anti-Money Laundering Act - http://www.irs.gov/businesses/small/article/0,,id=152532,00.html

USA PATRIOT Act (Public Law 107–56) - http://www.epic.org/privacy/terrorism/hr3162.html

Payment Card Industry Data Security Standard (PCI DSS) - https://www.pcisecuritystandards.org/tech/

California Senate Bill 1386 (CA SB 1386) - http://info.sen.ca.gov/pub/05-06/bill/sen/sb_1351-1400/sb_1386_bill_20060330_amended_sen.pdf

Basel II: International Convergence of Capital Measurement and Capital Standards: a Revised Framework - http://www.bis.org/publ/bcbs107.htm

Personal Information Protection and Electronic Documents Act (PIPEDA) - http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp

Securities and Exchange Commission (SEC) laws and regulations - http://www.sec.gov/about/laws.shtml

Information Overload

The Internet presents “too much” information, often without validation

Information overload

I do not know all of what I know, and I do not know what you know.

We are both not necessarily working off the same information cache to arrive at our individual decisions on the same subject.

The Internet can be more misleading than the rumor mill.

Young minds, though more energetic, are also more susceptible.

We have to be able to channel everyone’s energy and creative spirit without leaving them vulnerable to being misled.

The Threat Landscape

Hobbyist Phase (1986-2000): Viruses written largely out of curiosity, or for bragging rights. Payloads tended to be limited to propagation, destruction, or political/personal messages.

Criminal/Commercial Phase (Early 2000s-Present): Bots, Backdoors, Password-Stealers, Spyware, Adware

Shift from parasitic to static malware; steep growth in malware creation rates

The point is stealth and data, and uncontrolled propagation is bad for business

The Threat Landscape – are numbers everything?

Quote from my teacher: “Ex pondere et numero veritas” (Latin) – From numbers and measurements – TRUTH

But today, celebrity/shock/scandal sells – so media pays “experts” to present numbers in a compliant fashion

Absorb without succumbing, and extract relevance

Consultantgurus USP – remove hype, reduce cost while improving security and efficiency

Industry Perspective - Increasing Volumes and Complexity of Malware

Source – McAfee Labs

Password Stealers (PWS) – a growing threat

Source – McAfee Labs

The need for security frameworks

The best method to ensure that security is consistent, on target and in tune with organizational expectations is to use a uniform and accepted methodology applied consistently to secure the organization’s information.

A well-formulated security framework allows the organization to plan, test and apply security measures in a repeatable, measurable and auditable fashion. This allows the organization to plan forward without having to worry about compromising existing security or creating new security solutions for new strategies.

The need for policy – growing complexity on the data landscape

The quote below, from the Commission of the European Communities paper “Network and Information Security: Proposal for A European Policy Approach”, highlights this.

“The proposed policy measures with regard to network and information security have to be seen in the context of the existing telecommunications, data protection, and cyber-crime policies. A network and information security policy will provide the missing link in this policy framework. The diagram below shows these three policy areas and illustrates with a few examples how they are interrelated:”

Source: http://www.usdoj.gov/criminal/cybercrime/intl/netsec_comm.pdf

The components of a security framework

1. Policy: The security policy defines the organizational stance with respect to the various aspects of information security

2. Standards: Standards allow the organization to set specific targets for individual security activities, and measure them against a common base.

3. Risk analysis: This allows the organization to understand the cost of security in light of the business need and requirement, and make a business decision/case for the need for security for each situation.

4. Procedures: Standardized procedures allow the security team to deploy security solutions rapidly, in accordance with organizational needs

5. Metrics: Metrics allow the organization to quantify security solutions and achievements, and compare performance historically.

The components of a security framework…continued

6. Audit: Audit is the feedback process used by the organization to measure the effectiveness of security

7. Governance: Traditionally, information security has been treated as a function within, or a component of, information technology. However, with the use of information growing to cover all of an organization’s functions instead of just the technology components, securing the information and ensuring that it stays secure is now an organization-wide responsibility. This requires:

• Education of all users in the need for security

• Organization-wide awareness of security policies and the need to protect information

• Senior management support for the security measures and processes

Popular security frameworks

• ISO 27001/17799 [1]

• COBIT (Control Objectives for Information and related Technology) [2]

• NIST (National Institute of Standards and Technology) SP 800-53 [3] / SP 800-53A [4]

• ITIL (Information Technology Infrastructure Library) [5]

• DIACAP (DoD Information Assurance Certification and Accreditation Process) [6]

[1] ISO 27001 - http://www.27001-online.com/secpols.htm

[2] COBIT Executive Summary - http://www.isaca.org/AMTemplate.cfm?Section=Downloads&Template=/ContentManagement/ContentDisplay.cfm&ContentID=34172

[3] NIST SP800-53 - http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf

[4] NIST SP800-53A - http://csrc.nist.gov/publications/drafts/800-53A/SP-800-53A-tpd-final-sz.pdf

[5] ITIL and Security - http://www.itil-service-management-shop.com/security.htm

[6] DIACAP Guidance - http://iase.disa.mil/ditscap/ditscap-to-diacap.html

Our solutions

1. Firewalls

2. Proxy Servers

3. Intrusion detection/prevention systems

4. Network and system design/maintenance

5. Compliance audits

6. Performance audits

7. Security audits

8. Full service IT

Our solutions … continued

9. Secure remote access

10. Simplified threat management

11. Layered security

12. Policy-driven design

13. Regulation-compliant infrastructures

14. Managed services

15. Business justification is key to all work

Our solutions … continued 2

15. Digital surveillance

16. Video surveillance

17. Alarm and monitoring systems and infrastructure

18. VoIP and digital phone systems

19. Unified communication networks

20. Media streaming and distribution systems

21. GPS trackers

Our solutions … continued 3

BCM and DR planning

The importance of continuity plans

Why disaster recovery? How is it different from continuity plans?

How does it help?

Relation to the larger security landscape

Shared BCM/DR might make functional and budgetary sense

Our solutions … continued 4

The CSIRT – Computer Security Incident Response Team

Do all organizations need a CSIRT?

Cost-benefit analysis

Shared resources

Our CSIRT – shared resource with guaranteed confidentiality

In summary

Security is not an event – it is a process.

Security is not a password, a firewall or encryption.

Security is a way of thinking, a way of processing, a process of correct use.

Security helps – if it hampers, it is not security.

Education is a necessary component – continuous education is a need.

Discipline and adherence to policy are a requirement.

Compliance is almost a natural offshoot of a secure structure.

The Consultantgurus solution – reduced cost and improved efficiency

Our partners share our philosophy of the simple approach.

We make security usable and user-friendly.

Our solutions are geared to improve efficiency rather than hamper productivity.

We want you to be successful – and help by demystifying security and compliance.

Our managed services can take on as much of your infrastructure as you want to off-load. We will take over the obsolescence worries, and you can focus on your productivity.

Consultantgurus – your technology partner!

Questions?

PRESENTING FORTINET – OUR DATA SECURITY PARTNER